Azure.Identity

Primitive that combines async lock and value cache. Method that either returns the cached value or acquires a lock. If one caller has acquired a lock, other callers will be waiting for the lock to be released. If value is set, lock is released and all waiters get that value. If value isn't set, the next waiter in the queue will get the lock.

An exception class raised for errors in authenticating client requests. Creates a new AuthenticationFailedException with the specified message. The message describing the authentication failure. Creates a new AuthenticationFailedException with the specified message. The message describing the authentication failure. The exception underlying the authentication failure. A constructor used for serialization. The . The .

Account information relating to an authentication request. . The user principal or service principal name of the account. The authority host used to authenticate the account. A unique identifier of the account. The tenant the account should authenticate in. The client id of the application which performed the original authentication. Serializes the to the specified . The which the serialized will be written to. A controlling the request lifetime. Serializes the to the specified . The to which the serialized will be written. A controlling the request lifetime. Deserializes the from the specified . The from which the serialized will be read. A controlling the request lifetime. Deserializes the from the specified . The from which the serialized will be read. A controlling the request lifetime.

An exception indicating that interactive authentication is required. Creates a new with the specified message and context. The message describing the authentication failure. The details of the authentication request. Creates a new with the specified message, context and inner exception. The message describing the authentication failure. The details of the authentication request.
The exception underlying the authentication failure. A constructor used for serialization. The . The . The details of the authentication request which resulted in the authentication failure. Defines fields exposing the well known authority hosts for the Azure Public Cloud and sovereign clouds. The host of the Azure Active Directory authority for tenants in the Azure Public Cloud. The host of the Azure Active Directory authority for tenants in the Azure China Cloud. The host of the Azure Active Directory authority for tenants in the Azure German Cloud. The host of the Azure Active Directory authority for tenants in the Azure US Government Cloud. Authenticates by redeeming an authorization code previously obtained from Azure Active Directory. See for more information about the authorization code authentication flow. Protected constructor for mocking. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a prefetched authorization code. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal A client secret that was generated for the App Registration used to authenticate the client. The authorization code obtained from a call to authorize. The code should be obtained with all required scopes. See https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow for more information. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a prefetched authorization code. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal A client secret that was generated for the App Registration used to authenticate the client. The authorization code obtained from a call to authorize. The code should be obtained with all required scopes. 
See https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow for more information. Options for configuring the management of the requests sent to the Azure Active Directory service. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a prefetched authorization code. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. The authorization code obtained from a call to authorize. The code should be obtained with all required scopes. See https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow for more information. Options for configuring the management of the requests sent to the Azure Active Directory service. Obtains a token from the Azure Active Directory service, using the specified authorization code to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token from the Azure Active Directory service, using the specified authorization code to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options used to configure the . The redirect Uri that will be sent with the GetToken request.

Provides a implementation which chains the and implementations to be tried in order until one of the getToken methods returns a non-default .
This credential is designed for applications deployed to Azure is better suited to local development). It authenticates service principals and managed identities. Initializes an instance of the . Initializes an instance of the . The to configure this credential. Sequentially calls on all the specified sources, returning the first successfully obtained . This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Sequentially calls on all the specified sources, returning the first successfully obtained . This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped.

Options to configure the authentication flow and requests made to Azure Identity services. Specifies the client id of the Azure managed identity in the case of a user assigned identity.

Enables authentication to Azure Active Directory using Azure CLI to obtain an access token. Creates an instance of the CliCredential class. Creates an instance of the CliCredential class. The Azure Active Directory tenant (directory) Id of the service principal. Obtains an access token from the Azure CLI credential, using this access token to authenticate. This method is called by Azure SDK clients. Obtains an access token from the Azure CLI service, using the access token to authenticate. This method is called by Azure SDK clients.

Options for configuring the .
The Azure Active Directory tenant (directory) Id of the service principal.

Enables authentication to Azure Active Directory using Azure PowerShell to obtain an access token. Creates a new instance of the . Creates a new instance of the with the specified options. Options for configuring the credential. Obtains an access token from Azure PowerShell, using the access token to authenticate. This method is called by Azure SDK clients. Obtains an access token from Azure PowerShell, using the access token to authenticate. This method is called by Azure SDK clients.

Options for configuring the . The Azure Active Directory tenant (directory) Id of the service principal.

Provides a implementation which chains multiple implementations to be tried in order until one of the getToken methods returns a non-default . The ChainedTokenCredential class provides the ability to link together multiple credential instances to be tried sequentially when authenticating. The following example demonstrates creating a credential which will attempt to authenticate using managed identity, and fall back to Azure CLI for authentication if a managed identity is unavailable in the current environment.

    using Azure.Identity;
    using Azure.Messaging.EventHubs.Producer;

    // Authenticate using managed identity if it is available; otherwise use the Azure CLI to authenticate.
    var credential = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());

    var eventHubProducerClient = new EventHubProducerClient("myeventhub.eventhubs.windows.net", "myhubpath", credential);

Constructor for instrumenting in tests. Creates an instance with the specified sources. The ordered chain of implementations to be tried when calling or . Sequentially calls on all the specified sources, returning the first successfully obtained . This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime.
The first returned by the specified sources. Any credential which raises a will be skipped. Sequentially calls on all the specified sources, returning the first successfully obtained . This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Enables authentication of an AAD service principal using a signed client assertion. Protected constructor for mocking. Creates an instance of the ClientCertificateCredential with an asynchronous callback that provides a signed client assertion to authenticate against Azure Active Directory. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal An asynchronous callback returning a valid client assertion used to authenticate the service principal. Options that allow to configure the management of the requests sent to the Azure Active Directory service. Creates an instance of the ClientCertificateCredential with a synchronous callback that provides a signed client assertion to authenticate against Azure Active Directory. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal A synchronous callback returning a valid client assertion used to authenticate the service principal. Options that allow to configure the management of the requests sent to the Azure Active Directory service. Obtains a token from the Azure Active Directory service, by calling the assertionCallback specified when constructing the credential to obtain a client assertion for authentication. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. 
Obtains a token from the Azure Active Directory service, by calling the assertionCallback specified when constructing the credential to obtain a client assertion for authentication. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options used to configure the .

Enables authentication of a service principal to Azure Active Directory using an X509 certificate that is assigned to its App Registration. More information on how to configure certificate authentication can be found here: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad Gets the Azure Active Directory tenant (directory) Id of the service principal. Gets the client (application) ID of the service principal. Protected constructor for mocking. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal. The path to a file which contains both the client certificate and private key. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal. The path to a file which contains both the client certificate and private key. Options for configuring the management of the requests sent to the Azure Active Directory service. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal.
The client (application) ID of the service principal The path to a file which contains both the client certificate and private key. Options that allow to configure the management of the requests sent to the Azure Active Directory service. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal The authentication X509 Certificate of the service principal Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal The authentication X509 Certificate of the service principal Options that allow to configure the management of the requests sent to the Azure Active Directory service. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal The authentication X509 Certificate of the service principal Options that allow to configure the management of the requests sent to the Azure Active Directory service. Obtains a token from the Azure Active Directory service, using the specified X509 certificate to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. 
Obtains a token from the Azure Active Directory service, using the specified X509 certificate to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options used to configure the . Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. Will include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the . Specifies either the specific (preferred), or use to attempt to auto-detect the region. If not specified or auto-detection fails the non-regional endpoint will be used.

Enables authentication to Azure Active Directory using a client secret that was generated for an App Registration. More information on how to configure a client secret can be found here: https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application Gets the Azure Active Directory tenant (directory) Id of the service principal. Gets the client (application) ID of the service principal. Gets the client secret that was generated for the App Registration used to authenticate the client. Protected constructor for mocking. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a client secret. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a client secret.
The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. Options for configuring the management of the requests sent to the Azure Active Directory service. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a client secret. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. Options for configuring the management of the requests sent to the Azure Active Directory service. Obtains a token from the Azure Active Directory service, using the specified client secret to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token from the Azure Active Directory service, using the specified client secret to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options used to configure the . Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. Specifies either the specific (preferred), or use to attempt to auto-detect the region. If not specified or auto-detection fails the non-regional endpoint will be used.
Provides a default authentication flow for applications that will be deployed to Azure. The following credential types if enabled will be tried, in order: Consult the documentation of these credential types for more information on how they attempt authentication. Note that credentials requiring user interaction, such as the , are not included by default. Callers must explicitly enable this when constructing the either by setting the includeInteractiveCredentials parameter to true, or by setting the property to false when passing . This example demonstrates authenticating the BlobClient from the Azure.Storage.Blobs client library using the DefaultAzureCredential, deployed to an Azure resource with a user assigned managed identity configured.

    using System;
    using Azure.Identity;
    using Azure.Storage.Blobs;

    // When deployed to an Azure host, the default Azure credential will authenticate the specified user assigned managed identity.
    string userAssignedClientId = "<your managed identity client Id>";
    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });

    var blobClient = new BlobClient(new Uri("https://myaccount.blob.core.windows.net/mycontainer/myblob"), credential);

Creates an instance of the DefaultAzureCredential class. Specifies whether credentials requiring user interaction will be included in the default authentication flow. Creates an instance of the class. Options that configure the management of the requests sent to Azure Active Directory services, and determine which credentials are included in the authentication flow. Sequentially calls on all the included credentials in the order , , , and returning the first successfully obtained . This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. Note that credentials requiring user interaction, such as the , are not included by default. The details of the authentication request.
A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Sequentially calls on all the included credentials in the order , , , and returning the first successfully obtained . This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. Note that credentials requiring user interaction, such as the , are not included by default. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Options to configure the authentication flow and requests made to Azure Identity services. The tenant id of the user to authenticate, in the case the authenticates through, the . The default is null and will authenticate users to their default tenant. The value can also be set by setting the environment variable AZURE_TENANT_ID. Specifies the tenant id of the preferred authentication account, to be retrieved from the shared token cache for single sign on authentication with development tools, in the case multiple accounts are found in the shared token. If multiple accounts are found in the shared token cache and no value is specified, or the specified value matches no accounts in the cache the SharedTokenCacheCredential will not be used for authentication. The tenant id of the user to authenticate, in the case the authenticates through, the . The default is null and will authenticate users to their default tenant. The value can also be set by setting the environment variable AZURE_TENANT_ID. The tenant id of the user to authenticate, in the case the authenticates through, the . The default is null and will authenticate users to their default tenant. The value can also be set by setting the environment variable AZURE_TENANT_ID. 
Specifies the preferred authentication account to be retrieved from the shared token cache for single sign on authentication with development tools. In the case multiple accounts are found in the shared token. If multiple accounts are found in the shared token cache and no value is specified, or the specified value matches no accounts in the cache the SharedTokenCacheCredential will not be used for authentication. Specifies the client id of the selected credential Specifies the client id of a user assigned ManagedIdentity. If this value is configured, then should not be configured. Specifies the resource id of a user assigned ManagedIdentity. If this value is configured, then should not be configured. Specifies whether the will be excluded from the authentication flow. Setting to true disables reading authentication details from the process' environment variables. Specifies whether the will be excluded from the authentication flow. Setting to true disables authenticating with managed identity endpoints. Specifies whether the will be excluded from the authentication flow. Setting to true disables single sign on authentication with development tools which write to the shared token cache. The default is true. Specifies whether the will be excluded from the authentication flow. Setting to true disables launching the default system browser to authenticate in development environments. The default is true. Specifies whether the will be excluded from the authentication flow. Specifies whether the will be excluded from the authentication flow. Specifies whether the will be excluded from the authentication flow. Specifies whether the will be excluded from the authentication flow. A implementation which authenticates a user using the device code flow, and provides access tokens for that user account. For more information on the device code authentication flow see https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Device-Code-Flow. 
Creates a new , which will authenticate users using the device code flow. Creates a new with the specified options, which will authenticate users using the device code flow. The client options for the newly created . Creates a new DeviceCodeCredential with the specified options, which will authenticate users with the specified application. The callback to be executed to display the device code to the user The client id of the application to which the users will authenticate The client options for the newly created DeviceCodeCredential Creates a new DeviceCodeCredential with the specified options, which will authenticate users with the specified application. The callback to be executed to display the device code to the user The tenant id of the application to which users will authenticate. This can be null for multi-tenanted applications. The client id of the application to which the users will authenticate The client options for the newly created DeviceCodeCredential Interactively authenticates a user via the default browser. A controlling the request lifetime. The result of the authentication request, containing the acquired , and the which can be used to silently authenticate the account. Interactively authenticates a user via the default browser. A controlling the request lifetime. The which can be used to silently authenticate the account on future execution of credentials using the same persisted token cache. Interactively authenticates a user via the default browser. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Interactively authenticates a user via the default browser. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Obtains a token for a user account, authenticating them through the device code authentication flow. This method is called automatically by Azure SDK client libraries. 
You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token for a user account, authenticating them through the device code authentication flow. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options to configure the . Prevents the from automatically prompting the user. If automatic authentication is disabled an AuthenticationRequiredException will be thrown from and in the case that user interaction is necessary. The application is responsible for handling this exception, and calling or to authenticate the user interactively. The tenant ID the user will be authenticated to. If not specified the user will be authenticated to their home tenant. The client ID of the application used to authenticate the user. If not specified the user will be authenticated with an Azure development application. Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. The captured from a previous authentication. The callback which will be executed to display the device code login details to the user. If not specified the device code and login instructions will be printed to the console.

Enables authentication to Azure Active Directory using client secret, or username and password, details configured in the following environment variables:

Variable: Description
AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
AZURE_CLIENT_CERTIFICATE_PATH: A path to certificate and private key pair in PEM or PFX format, which can authenticate the App Registration.
AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: Specifies whether an authentication request will include an x5c header to support subject name / issuer based authentication. When set to `true` or `1`, authentication requests include the x5c header.
AZURE_USERNAME: The username, also known as upn, of an Azure Active Directory user account.
AZURE_PASSWORD: The password of the Azure Active Directory user account. Note this does not support accounts with MFA enabled.

This credential ultimately uses a , , or to perform the authentication using these details. Please consult the documentation of that class for more details. Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default when invoked. Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default when invoked. Options for configuring the management of the requests sent to the Azure Active Directory service. Obtains a token from the Azure Active Directory service, using the specified client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.
Obtains a token from the Azure Active Directory service, using the specified client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls, or a default .

A implementation which launches the system default browser to interactively authenticate a user, and obtain an access token. The browser will only be launched to authenticate the user once, then will silently acquire access tokens through the user's refresh token as long as it's valid. Creates a new with the specified options, which will authenticate users. Creates a new with the specified options, which will authenticate users with the specified application. The client options for the newly created . Creates a new with the specified options, which will authenticate users with the specified application. The client id of the application to which the users will authenticate. Creates a new with the specified options, which will authenticate users with the specified application. The tenant id of the application and the users to authenticate. Can be null in the case of multi-tenant applications. The client id of the application to which the users will authenticate. TODO: need to link to info on how the application has to be created to authenticate users, for multiple applications. The client options for the newly created . Interactively authenticates a user via the default browser. A controlling the request lifetime.
The result of the authentication request, containing the acquired , and the which can be used to silently authenticate the account. Interactively authenticates a user via the default browser. The resulting will automatically be used in subsequent calls to . A controlling the request lifetime. The result of the authentication request, containing the acquired , and the which can be used to silently authenticate the account. Interactively authenticates a user via the default browser. The resulting will automatically be used in subsequent calls to . A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Interactively authenticates a user via the default browser. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Obtains an token for a user account silently if the user has already authenticated, otherwise the default browser is launched to authenticate the user. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains an token for a user account silently if the user has already authenticated, otherwise the default browser is launched to authenticate the user. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Options to configure the . Prevents the from automatically prompting the user. If automatic authentication is disabled, an AuthenticationRequiredException will be thrown from and in the case that user interaction is necessary. 
The application is responsible for handling this exception, and calling or to authenticate the user interactively. The tenant ID the user will be authenticated to. If not specified the user will be authenticated to the home tenant. The client ID of the application used to authenticate the user. If not specified the user will be authenticated with an Azure development application. Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. Uri where the STS will call back the application with the security token. This parameter is not required if the caller is not using a custom . In the case that the caller is using their own the value must match the redirect url specified when creating the application registration. The captured from a previous authentication. Avoids the account prompt and pre-populates the username of the account to login. Attempts authentication using a managed identity that has been assigned to the deployment environment. This authentication type works in Azure VMs, App Service and Azure Functions applications, as well as the Azure Cloud Shell. More information about configuring managed identities can be found here: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview Protected constructor for mocking. Creates an instance of the ManagedIdentityCredential capable of authenticating a resource with a managed identity. The client id to authenticate for a user assigned managed identity. More information on user assigned managed identities can be found here: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm Options to configure the management of the requests sent to the Azure Active Directory service. Creates an instance of the ManagedIdentityCredential capable of authenticating a resource with a managed identity. 
The resource id to authenticate for a user assigned managed identity. More information on user assigned managed identities can be found here: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm Options to configure the management of the requests sent to the Azure Active Directory service. Obtains an from the Managed Identity service if available. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls, or a default if no managed identity is available. Obtains an from the Managed Identity service if available. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls, or a default if no managed identity is available. Enables authentication to Azure Active Directory using an On-Behalf-Of flow. Protected constructor for mocking. Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal The authentication X509 Certificate of the service principal The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. The Azure Active Directory tenant (directory) Id of the service principal. 
The client (application) ID of the service principal The authentication X509 Certificate of the service principal The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Options that allow to configure the management of the requests sent to the Azure Active Directory service. Creates an instance of the with the details needed to authenticate with Azure Active Directory. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal A client secret that was generated for the App Registration used to authenticate the client. The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Creates an instance of the with the details needed to authenticate with Azure Active Directory. The Azure Active Directory tenant (directory) Id of the service principal. The client (application) ID of the service principal A client secret that was generated for the App Registration used to authenticate the client. The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Options that allow to configure the management of the requests sent to the Azure Active Directory service. Gets an for the specified set of scopes. The with authentication information.The to use.A valid .Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token being requested. Gets an for the specified set of scopes. The with authentication information.The to use.A valid .Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token being requested. The . Will include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the . Specifies either the specific (preferred), or use to attempt to auto-detect the region. 
If not specified or auto-detection fails the non-regional endpoint will be used. Authenticates using tokens in the local cache shared between Microsoft applications. Creates a new which will authenticate users signed in through developer tools supporting Azure single sign on. Creates a new which will authenticate users signed in through developer tools supporting Azure single sign on. The client options for the newly created Creates a new which will authenticate users signed in through developer tools supporting Azure single sign on. The username of the user to authenticate The client options for the newly created Obtains an token for a user account silently if the user has already authenticated to another Microsoft application participating in SSO through a shared MSAL cache. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime An which can be used to authenticate service client calls Obtains an token for a user account silently if the user has already authenticated to another Microsoft application participating in SSO through a shared MSAL cache. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime An which can be used to authenticate service client calls Options to configure the authentication. The client id of the application registration used to authenticate users in the cache. Specifies the preferred authentication account username, or UPN, to be retrieved from the shared token cache for single sign on authentication with development tools, in the case multiple accounts are found in the shared token. 
Specifies the tenant id of the preferred authentication account, to be retrieved from the shared token cache for single sign on authentication with development tools, in the case multiple accounts are found in the shared token. When set to true the can be used to authenticate to tenants other than the home tenant, requiring and also to be specified as well. The captured from a previous authentication with an interactive credential, such as the or . Specifies the to be used by the credential. Initializes a new instance of . Initializes a new instance of . The that will apply to the token cache used by this credential. Options to configure requests made to the OAUTH identity service. Constructs a new instance. The host of the Azure Active Directory authority. The default is https://login.microsoftonline.com/. For well known authority hosts for Azure cloud instances see . Gets or sets value indicating if ETW logging that contains PII content should be logged. Setting this property will not disable redaction of Content. To enable logging of sensitive the property must be set to true. Gets the credential diagnostic options. Enables authentication to Azure Active Directory using a user's username and password. If the user has MFA enabled this credential will fail to get a token throwing an . Also, this credential requires a high degree of trust and is not recommended outside of prototyping when more secure credentials can be used. Protected constructor for mocking Creates an instance of the with the details needed to authenticate against Azure Active Directory with a simple username and password. The user account's username, also known as UPN. The user account's password. The Azure Active Directory tenant (directory) ID or name. The client (application) ID of an App Registration in the tenant. Creates an instance of the with the details needed to authenticate against Azure Active Directory with a simple username and password. The user account's user name, UPN. 
The user account's password. The Azure Active Directory tenant (directory) ID or name. The client (application) ID of an App Registration in the tenant. The client options for the newly created UsernamePasswordCredential Creates an instance of the with the details needed to authenticate against Azure Active Directory with a simple username and password. The user account's user name, UPN. The user account's password. The Azure Active Directory tenant (directory) ID or name. The client (application) ID of an App Registration in the tenant. The client options for the newly created UsernamePasswordCredential Authenticates the user using the specified username and password. A controlling the request lifetime. The of the authenticated account. Authenticates the user using the specified username and password. A controlling the request lifetime. The of the authenticated account. Authenticates the user using the specified username and password. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Authenticates the user using the specified username and password. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Obtains a token for a user account, authenticating them using the given username and password. Note: This will fail with an if the specified user account has MFA enabled. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token for a user account, authenticating them using the given username and password. Note: This will fail with an if the specified user account has MFA enabled. This method is called automatically by Azure SDK client libraries. 
You may call this method directly, but you must also handle token caching and token refreshing. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Options to configure the . Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. Enables authentication to Azure Active Directory using data from Visual Studio Code. Creates a new instance of the . Creates a new instance of the with the specified options. Options for configuring the credential. Gets an for the specified set of scopes. The with authentication information.The to use.A valid .Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token being requested. Gets an for the specified set of scopes. The with authentication information.The to use.A valid .Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token being requested. Options for configuring the . The tenant ID the user will be authenticated to. If not specified the user will be authenticated to the tenant the user originally authenticated to via the Visual Studio Code Azure Account plugin. Enables authentication to Azure Active Directory using data from Visual Studio. Creates a new instance of the . Creates a new instance of the with the specified options. Options for configuring the credential. Gets an for the specified set of scopes. The with authentication information.The to use.A valid .Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token being requested. Gets an for the specified set of scopes. 
The with authentication information.The to use.A valid .Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token being requested. Options for configuring the . The tenant ID the user will be authenticated to. If not specified the user will be authenticated to their home tenant. An exception indicating a did not attempt to authenticate and retrieve , as its prerequisite information or state was not available. Creates a new with the specified message. The message describing the authentication failure. Creates a new with the specified message. The message describing the authentication failure. The exception underlying the authentication failure. A constructor used for serialization. The . The . Details of the device code to present to a user to allow them to authenticate through the device code authentication flow. User code returned by the service Device code returned by the service Verification URL where the user must navigate to authenticate using the device code and credentials. Time when the device code will expire. User friendly text response that can be used for display purpose. Identifier of the client requesting device code. List of the scopes that would be held by token. This class is an HttpClient factory which creates an HttpClient which delegates its transport to an HttpPipeline, to enable MSAL to send requests through an Azure.Core HttpPipeline. Model factory that enables mocking for the Azure Identity library. Initializes a new instance of the class for mocking purposes. Sets the . Sets the . Sets the . Sets the . Sets the . A new instance of the for mocking purposes. Initializes a new instance of the class for mocking purposes. Sets the . Sets the . Sets the . Sets the . Sets the . Sets the . Sets the . A new instance of the for mocking purposes. IX509Certificate2Provider provides a way to control how the X509Certificate2 object is fetched. Default Constructor. 
Creates a new instance of Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper. To configure MSAL to use this cache persistence, call Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.RegisterCache(Microsoft.Identity.Client.ITokenCache) Passing null uses a default logger A new instance of Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper. Performs a write -> read -> clear using the underlying persistence mechanism and throws an Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException if something goes wrong. Does not overwrite the token cache. Should never fail on Windows and Mac where the cache accessors are guaranteed to exist by the OS. Registers a token cache to synchronize with on disk storage. Unregisters a token cache so it no longer synchronizes with on disk storage. Extracts the token cache data from the persistent store This method should be used with care. The data returned is unencrypted. UTF-8 byte array of the unencrypted token cache Saves an unencrypted, UTF-8 encoded byte array representing an MSAL token cache. The save operation will persist the data in a secure location, as configured in Microsoft.Identity.Client.Extensions.Msal.StorageCreationProperties For mocking purposes only. For mocking purposes only. Identifies the regional authority to be used for authentication. Initializes a new instance of the structure. The string value of the instance. In cases where the region is not known ahead of time, attempts to automatically discover the appropriate . This works on some Azure hosts, such as some VMs (through IMDS), and Azure Functions (using host populated environment variables). If the auto-detection fails, the non-regional authority is used. Uses the for the Azure 'westus' region. Uses the for the Azure 'westus2' region. Uses the for the Azure 'centralus' region. Uses the for the Azure 'eastus' region. Uses the for the Azure 'eastus2' region. Uses the for the Azure 'northcentralus' region. 
Uses the for the Azure 'southcentralus' region. Uses the for the Azure 'westcentralus' region. Uses the for the Azure 'canadacentral' region. Uses the for the Azure 'canadaeast' region. Uses the for the Azure 'brazilsouth' region. Uses the for the Azure 'northeurope' region. Uses the for the Azure 'westeurope' region. Uses the for the Azure 'uksouth' region. Uses the for the Azure 'ukwest' region. Uses the for the Azure 'francecentral' region. Uses the for the Azure 'francesouth' region. Uses the for the Azure 'switzerlandnorth' region. Uses the for the Azure 'switzerlandwest' region. Uses the for the Azure 'germanynorth' region. Uses the for the Azure 'germanywestcentral' region. Uses the for the Azure 'norwaywest' region. Uses the for the Azure 'norwayeast' region. Uses the for the Azure 'eastasia' region. Uses the for the Azure 'southeastasia' region. Uses the for the Azure 'japaneast' region. Uses the for the Azure 'japanwest' region. Uses the for the Azure 'australiaeast' region. Uses the for the Azure 'australiasoutheast' region. Uses the for the Azure 'australiacentral' region. Uses the for the Azure 'australiacentral2' region. Uses the for the Azure 'centralindia' region. Uses the for the Azure 'southindia' region. Uses the for the Azure 'westindia' region. Uses the for the Azure 'koreasouth' region. Uses the for the Azure 'koreacentral' region. Uses the for the Azure 'uaecentral' region. Uses the for the Azure 'uaenorth' region. Uses the for the Azure 'southafricanorth' region. Uses the for the Azure 'southafricawest' region. Uses the for the Azure 'chinanorth' region. Uses the for the Azure 'chinaeast' region. Uses the for the Azure 'chinanorth2' region. Uses the for the Azure 'chinaeast2' region. Uses the for the Azure 'germanycentral' region. Uses the for the Azure 'germanynortheast' region. Uses the for the Azure 'usgovvirginia' region. Uses the for the Azure 'usgoviowa' region. Uses the for the Azure 'usgovarizona' region. 
Uses the for the Azure 'usgovtexas' region. Uses the for the Azure 'usdodeast' region. Uses the for the Azure 'usdodcentral' region. Determines if two values are the same. The first to compare. The second to compare. True if and are the same; otherwise, false. Determines if two values are different. The first to compare. The second to compare. True if and are different; otherwise, false. Converts a string to a . The string value to convert. Indicates whether this instance and a specified object are equal.The object to compare with the current instance. if and this instance are the same type and represent the same value; otherwise, . Indicates whether the current object is equal to another object of the same type.An object to compare with this object. if the current object is equal to the parameter; otherwise, . Returns the hash code for this instance.A 32-bit signed integer that is the hash code for this instance. Returns the fully qualified type name of this instance.The fully qualified type name. Resolves the tenantId based on the supplied configuration values. The tenantId passed to the ctor of the Credential. The . The tenantId to be used for authorization. A cache for Tokens. The internal state of the cache. Creates a new instance of with the specified options. Options controlling the storage of the . A delegate that is called with the cache contents when the underlying has been updated. A delegate that will be called before the cache is accessed. The data returned will be used to set the current state of the cache. Resets the so that tests can validate multiple calls to This should only be used for testing. Details related to a cache delegate. Constructs a new instance with the specified cache bytes. The serialized content of the token cache. The bytes representing the state of the token cache. Options controlling the storage of the token cache. 
This is an example showing how TokenCachePersistenceOptions and an AuthenticationRecord can be used together to enable silent authentication across executions of a client application.

```csharp
using System;
using System.IO;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

const string TOKEN_CACHE_NAME = "MyTokenCache";
// Placeholder location for the serialized AuthenticationRecord; the snippet
// references AUTH_RECORD_PATH without defining it.
const string AUTH_RECORD_PATH = "./authrecord.bin";

InteractiveBrowserCredential credential;
AuthenticationRecord authRecord;

// Check if an AuthenticationRecord exists on disk.
// If it does not exist, get one and serialize it to disk.
// If it does exist, load it from disk and deserialize it.
if (!File.Exists(AUTH_RECORD_PATH))
{
    // Construct a credential with TokenCachePersistenceOptions specified to ensure that the token cache is persisted to disk.
    // We can also optionally specify a name for the cache to avoid having it cleared by other applications.
    credential = new InteractiveBrowserCredential(
        new InteractiveBrowserCredentialOptions
        {
            TokenCachePersistenceOptions = new TokenCachePersistenceOptions { Name = TOKEN_CACHE_NAME }
        });

    // Call AuthenticateAsync to fetch a new AuthenticationRecord.
    authRecord = await credential.AuthenticateAsync();

    // Serialize the AuthenticationRecord to disk so that it can be re-used across executions of this initialization code.
    using var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Create, FileAccess.Write);
    await authRecord.SerializeAsync(authRecordStream);
}
else
{
    // Load the previously serialized AuthenticationRecord from disk and deserialize it.
    using var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Open, FileAccess.Read);
    authRecord = await AuthenticationRecord.DeserializeAsync(authRecordStream);

    // Construct a new client with our TokenCachePersistenceOptions with the addition of the AuthenticationRecord property.
    // This tells the credential to use the same token cache in addition to which account to try and fetch from cache when GetToken is called.
    credential = new InteractiveBrowserCredential(
        new InteractiveBrowserCredentialOptions
        {
            TokenCachePersistenceOptions = new TokenCachePersistenceOptions { Name = TOKEN_CACHE_NAME },
            AuthenticationRecord = authRecord
        });
}

// Construct our client with the credential which is connected to the token cache
// with the capability of silent authentication for the account specified in the AuthenticationRecord.
var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
```

Name uniquely identifying the . If set to true the token cache may be persisted as an unencrypted file if no OS level user encryption is available. When set to false the token cache will throw a in the event no OS level user encryption is available. Args sent to TokenCache OnBefore and OnAfter events. A suggested token cache key, which can be used with general purpose storage mechanisms that allow storing key-value pairs and key based retrieval. Useful in applications that store 1 token cache per user, the recommended pattern for web apps. The value is: the homeAccountId for AcquireTokenSilent, GetAccount(homeAccountId), RemoveAccount and when writing tokens on confidential client calls; clientID + "_AppTokenCache" for AcquireTokenForClient; clientID_tenantID + "_AppTokenCache" for AcquireTokenForClient when tenant specific authority; the hash of the original token for AcquireTokenOnBehalfOf. Data regarding an update of a token cache. The instance which was updated. Exposes client options related to logging, telemetry, and distributed tracing. If true, we try to log the account identifiers by parsing the received access token. The account identifiers we try to log are: the Application or Client Identifier; User Principal Name; Tenant Identifier; Object Identifier of the authenticated user or application. Options controlling the storage of the token cache. The delegate to be called when the Updated event fires. Returns the bytes used to initialize the token cache. 
This would most likely have come from the . This implementation will get called by the default implementation of . It is recommended to provide an implementation for rather than this method. Returns the bytes used to initialize the token cache. This would most likely have come from the . It is recommended that if this method is overridden, there is no need to provide a duplicate implementation for the parameterless . The containing information about the current state of the cache. The controlling the lifetime of this operation. As tenant id is used in constructing authority endpoints and in command line invocation we validate the character set of the tenant id matches allowed characters. PowerShell Legacy can only be used on Windows OS systems. X509Certificate2FromFileProvider provides an X509Certificate2 from a file on disk. It supports both "pfx" and "pem" encoded certificates. X509Certificate2FromObjectProvider provides an X509Certificate2 from an existing instance. Helper for interacting with AppConfig settings and their related Environment variable settings. Determines if either an AppContext switch or its corresponding Environment Variable is set Name of the AppContext switch. Name of the Environment variable. If the AppContext switch has been set, returns the value of the switch. If the AppContext switch has not been set, returns the value of the environment variable. False if neither is set. Argument validation. This class should be shared via source using Azure.Core.props and contain only common argument validation. It is declared partial so that you can use the same familiar class name but extend it with project-specific validation. To extend the functionality of this class, just declare your own partial class with project-specific methods. Be sure to document exceptions thrown by these methods on your public methods. Throws if is null. The value to validate. The name of the parameter. is null. Throws if has not been initialized. The value to validate. 
The name of the parameter. has not been initialized. Throws if is null or an empty collection. The value to validate. The name of the parameter. is an empty collection. is null. Throws if is null or an empty string. The value to validate. The name of the parameter. is an empty string. is null. Throws if is null, an empty string, or consists only of white-space characters. The value to validate. The name of the parameter. is an empty string or consists only of white-space characters. is null. Throws if is the default value for type . The type of structure to validate which implements . The value to validate. The name of the parameter. is the default value for type . Throws if is less than the or greater than the . The type of to validate which implements . The value to validate. The minimum value to compare. The maximum value to compare. The name of the parameter. Throws if has not been initialized; otherwise, returns . The value to validate. The name of the parameter. has not been initialized. Throws if is null or an empty string; otherwise, returns . The value to validate. The name of the parameter. is an empty string. is null. Throws if is not null. The value to validate. The name of the parameter. The error message. is not null. Represents a heap-based, array-backed output sink into which data can be written. Creates an instance of an , in which data can be written to, with the default initial capacity. Creates an instance of an , in which data can be written to, with an initial capacity specified. The minimum capacity with which to initialize the underlying buffer. Thrown when is not positive (i.e. less than or equal to 0). Returns the data written to the underlying buffer so far, as a . Returns the data written to the underlying buffer so far, as a . Returns the amount of data written to the underlying buffer so far. Returns the total amount of space within the underlying buffer. 
Returns the amount of space available that can still be written into without forcing the underlying buffer to grow. Clears the data written to the underlying buffer. You must clear the before trying to re-use it. Notifies that amount of data was written to the output /. Thrown when is negative. Thrown when attempting to advance past the end of the underlying buffer. You must request a new buffer after calling Advance to continue writing more data and cannot write to a previously acquired buffer. Returns a to write to that is at least the requested length (specified by ). If no is provided (or it's equal to 0), some non-empty buffer is returned. Thrown when is negative. This will never return an empty . There is no guarantee that successive calls will return the same buffer or the same-sized buffer. You must request a new buffer after calling Advance to continue writing more data and cannot write to a previously acquired buffer. Returns a to write to that is at least the requested length (specified by ). If no is provided (or it's equal to 0), some non-empty buffer is returned. Thrown when is negative. This will never return an empty . There is no guarantee that successive calls will return the same buffer or the same-sized buffer. You must request a new buffer after calling Advance to continue writing more data and cannot write to a previously acquired buffer. This attribute should be set on all client assemblies with value of one of the resource providers from the https://docs.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers list. Partial method that can optionally be defined to extract the error message, code, and details in a service specific manner. The error content. The response headers. Additional error details. Kind describes the relationship between the Activity, its parents, and its children in a Trace. Default value. 
Indicates that the Activity represents an internal operation within an application, as opposed to an operation with remote parents or children. Server activity represents a request incoming from an external component. Client activity represents an outgoing request to an external component. Producer activity represents output provided to external components. Consumer activity represents output received from an external component. Until we can reference the 5.0 of System.Diagnostics.DiagnosticSource. Both and are defined as public structs so that foreach can use duck typing to call and avoid heap memory allocation. Please don't delete this method and don't make these types private. An HttpMessageHandler which delegates SendAsync to a specified HttpPipeline. Converts a Base64URL encoded string to a string. The Base64Url encoded string containing UTF8 bytes for a string. The string represented by the Base64URL encoded string. Encode a byte array as a Base64URL encoded string. Raw byte input buffer. The bytes, encoded as a Base64URL string. Converts a Base64URL encoded string to a string. The Base64Url encoded string containing UTF8 bytes for a string. The string represented by the Base64URL encoded string. Encode a string as a Base64URL encoded string. String input buffer. The UTF8 bytes for the string, encoded as a Base64URL string. This is a very targeted PKCS#8 decoder for use when reading a PKCS#8 encoded RSA private key from a DER encoded ASN.1 blob. In an ideal world, we would be able to call AsymmetricAlgorithm.ImportPkcs8PrivateKey off an RSA object to import the private key from a byte array, which we got from the PEM file. There are a few issues with this, however: 1. ImportPkcs8PrivateKey does not exist in the Desktop .NET Framework as of today. 2. ImportPkcs8PrivateKey was added to .NET Core in 3.0, and we'd love to be able to support this on older versions of .NET Core. This code is able to decode RSA keys (without any attributes) from well formed PKCS#8 blobs. 
Reads PEM streams to parse PEM fields or load certificates. Loads an from PEM data. The PEM data to parse. Optional public certificate data if not defined within the PEM data. Optional of the certificate private key. The default is to automatically detect. Only support for is implemented by shared code. Whether to create an if no private key is read. A combination of the enumeration values that control where and how to import the certificate. An loaded from the PEM data. A cryptographic exception occurred when trying to create the . is null and no CERTIFICATE field is defined in PEM, or no PRIVATE KEY is defined in PEM. The is not supported. Creating a from PEM data is not supported on the current platform. Attempts to read the next PEM field from the given data. The PEM data to parse. The first complete PEM field that was found. True if a valid PEM field was parsed; otherwise, false. To find subsequent fields, pass a slice of past the found . Key type of the certificate private key. The key type is unknown. Attempt to detect the key type. RSA key type. ECDsa key type. A PEM field including its section header and encoded data. The offset of the section from the start of the input PEM stream. A span of the section label from within the PEM stream. A span of the section data from within the PEM stream. The length of the section from the . Decodes the base64-encoded Gets a string containing the displayable value in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com. This can be null. This property replaces the DisplayableId property of IUser in previous versions of MSAL.NET. Gets a string containing the identity provider for this account, e.g. login.microsoftonline.com. This property replaces the IdentityProvider property of IUser in previous versions of MSAL.NET, except that IdentityProvider was a URL with information about the tenant (in addition to the cloud environment), whereas Environment is only the AccountId of the home account for the user. 
This uniquely identifies the user across AAD tenants. Can be null, for example if this account was migrated to MSAL.NET from ADAL.NET v3's token cache. Returns an enumerator that iterates through the collection. An enumerator that can be used to iterate through the collection. Returns an enumerator that iterates through a collection. An object that can be used to iterate through the collection. Gets the element in the collection at the current position of the enumerator. The element in the collection at the current position of the enumerator.