Skip to content

Update dependency Microsoft.Identity.Client to 4.85.2#546

Open
renovate[bot] wants to merge 1 commit into
developfrom
renovate/azure-ad-microsoft-authentication-library-for-dotnet-monorepo
Open

Update dependency Microsoft.Identity.Client to 4.85.2#546
renovate[bot] wants to merge 1 commit into
developfrom
renovate/azure-ad-microsoft-authentication-library-for-dotnet-monorepo

Conversation

@renovate

@renovate renovate Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
Microsoft.Identity.Client (source) 4.72.14.85.2 age confidence

Release Notes

AzureAD/microsoft-authentication-library-for-dotnet (Microsoft.Identity.Client)

v4.85.2

Compare Source

What's Changed

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.85.1...4.85.2

v4.85.1

Compare Source

======

New Features
  • Exposed canonical OpenTelemetry tag names per metric via MsalMetricsCatalog.CanonicalTagsByMetric for discoverability and validation. #​6076

v4.85.0

Compare Source

======

New Features
  • Added WithOtelTagsEnricher extension on AbstractAcquireTokenParameterBuilder<T> to enrich OpenTelemetry tags from token acquisition results. #​6071
  • Promoted MsalServiceException.SubErrorForLogging to public for diagnostic logging of service sub-errors. #​6063
  • Added GovFr, GovDe, and GovSg values to the AzureCloudInstance enum for sovereign cloud support. #​6023
Changes
  • Migrated region discovery to the IMDS /compute JSON endpoint. #​6039
Bug Fixes
  • Excluded caller SDK telemetry headers (caller-sdk-id, caller-sdk-ver) from access token cache keys to prevent cache fragmentation. #​6073
  • Service Fabric Managed Identity now sends principalId for ObjectId and rejects ClientId/ResourceId identifiers. #​6065
  • Validated Azure region format to prevent region poisoning. #​6060
  • Fixed proactive token refresh bypassing cancellation, which could lead to unbounded semaphore waits. #​6053
  • Fall back to the home account from the request when not available elsewhere. #​5618

v4.84.2

Compare Source

======

New Features
  • Added ManagedIdentityApplication.GetManagedIdentityCapabilitiesAsync(CancellationToken) returning a ManagedIdentityCapabilities object that reports the detected managed identity Source, the host's MaxSupportedBindingStrength (new MtlsBindingStrength enum: None, Software, KeyGuard), and a derived IsMtlsPopSupportedByHost. Replaces GetManagedIdentitySourceAsync()/ManagedIdentitySourceResult. The public ManagedIdentitySource.ImdsV2 value is folded into Imds (v1/v2 routing remains internal). #​6049
  • Added OID-based user identification to the User Federated Identity Credential (user_fic) flow via AcquireTokenByUserFederatedIdentityCredential(scopes, Guid userObjectId, assertion). #​6050
  • Added WithClaimsFromClient(claimsJson) to forward client-originated claims across managed identity and confidential client flows. #​5999
  • Added mTLS PoP support for WithCertificate(() => x509) (dynamic certificate credential). #​5957
  • Added opt-in token-acquisition metrics covering both successful and failed attempts. #​6004
Changes
  • Extended mTLS bearer transport (CertificateOptions.SendCertificateOverMtls) to the OBO, refresh-token, and authorization-code flows. #​6009
  • General Availability of the Microsoft.Identity.Client.KeyAttestation package. #​6038
  • Managed identity now probes IMDSv2 first and the preview latch was removed. #​6041
  • Updated NativeInterop baseline and corrected devapp version ranges. #​6045
  • Simplified GetTenantedAuthority in CiamAuthority and DstsAuthority. #​6001
Bug Fixes
  • Fixed WithExtraQueryParameters on ManagedIdentityApplicationBuilder bypassing token caching. #​6035
  • Guarded HTTP status codes on discovery endpoints in KnownInstanceMetadataIsUpToDateAsync. #​6048
  • Detect orphaned KeyGuard certificates via public-key modulus comparison. #​6020

v4.84.1

Compare Source

What's Changed

New Features

  • Added WithReservedScopes and WithCachePartitionKey public API extensions in #​6014
  • Added IAuthenticationOperation3 interface for CDT + mTLS PoP composition in #​5996
  • Added MsalRemainingTokenLifetime histogram metric for token expiry tracking in #​5920

Changes

  • Removed [Obsolete] attribute from WithExtraBodyParameters extension method in #​6006
  • Replaced ConcurrentHashSet with ConcurrentDictionary<T, byte> in #​5975

Bug Fixes

  • Fixed WithTenantId not honoring MSA tenant GUID when specified at request level in #​5958
  • Fixed OBO cache returning multiple_matching_tokens_detected when attributed tokens share a partition in #​5993

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@6ff7075...main (AzureAD/microsoft-authentication-library-for-dotnet@6ff7075...main)

v4.84.0

Compare Source

======

New Features
  • Added CacheOptions.DisableInternalCacheOptions static property and CacheOptions.IsInternalCacheDisabled to allow disabling MSAL's internal token cache. Added CacheRefreshReason.CacheDisabled and MsalError.InternalCacheDisabled to support this scenario. #​5947
  • Added AuthenticationResultExtensions.GetRefreshToken() extension method for accessing refresh tokens from AuthenticationResult. #​5947
  • Added WithAttributeTokens and WithExtraBodyParameters extension methods on AbstractConfidentialClientAcquireTokenParameterBuilder for enhanced extensibility. #​5888
  • Added CertificateOptions.SendCertificateOverMtls for mTLS Proof-of-Possession certificate support. #​5849
  • Added AssertionRequestOptions.CorrelationId property for correlation ID support in FIC assertion requests. #​5937
Changes
  • Removed experimental feature gate from WithClientAssertion(ClientSignedAssertion) overload. #​5945
  • Removed embedded Newtonsoft.Json dependency, migrated to System.Text.Json exclusively. #​5959
  • Removed mTLS PoP region as a hard requirement. #​5902
  • Refactored client credential material resolution. #​5835
  • Added in-process MAA token caching to PopKeyAttestor. #​5887
  • Added raw STS error code to MsalFailure metric. #​5961
  • Support forwarding MSAL client metadata headers through IMDS to ESTS. #​5912
Bug Fixes
  • Fixed eager evaluation in ConcurrentDictionary.GetOrAdd calls. #​5950
  • Fixed System.ValueTuple conditional dependency to net462 only. #​5894
  • Validated clientSignedAssertionProvider delegate is non-null in WithClientAssertion. #​5956
  • Improved MtlsPopTokenNotSupportedinImdsV1 error message clarity. #​5908
  • Added additional checks for issuer validation. #​5931

v4.83.3

Compare Source

======

New Features
  • Added support for User Federated Identity Credential (UserFIC) scenarios through the IByUserFederatedIdentityCredential interface and user_fic grant type. #​5802
Changes
  • Updated NativeInterop to version 0.20.3. #​5866
Bug Fixes
  • Fixed response handling in HttpListenerInterceptor.cs to ensure the full response is properly closed. #​5478
  • Fixed macOS detection to include maccatalyst target in desktop platform checks.#​5882
Infrastructure & Dependencies
  • Extracted reusable MSAL test infrastructure into Microsoft.Identity.Lab.API. #​5864

v4.83.1

Compare Source

======

Bug Fixes
  • Fix IMDS endpoint cache not being reset during test cleanup #​5830

v4.83.0

Compare Source

======

New Features
  • Agent Skills: Added Agent Skills catalog with complete coverage of both Confidential Client Authentication and mTLS PoP flows #​5733
  • mTLS PoP Skills Guide: Added comprehensive guide for GitHub Copilot Chat covering MSAL.NET authentication, mTLS Proof of Possession, and Federated Identity Credentials #​5790
Changes
  • Credential Guard Attestation: Integrated native DLL handling for Credential Guard attestation with centralized versioning #​5674
Bug Fixes
  • IMDSv2 mTLS Auto-Recovery: Implemented automatic recovery from SCHANNEL handshake failures by evicting cached certificates and re-minting #​5761
  • Managed Identity Fallback Behavior: Restored classic fallback behavior in MSAL MI unless GetManagedIdentitySourceAsync() is explicitly invoked #​5815
  • Attestation Token Expiration: Exposed expires_on field in attestation tokens for better token lifecycle management #​5741
  • Service Fabric API Version: Updated Service Fabric managed identity API version from 2019-07-01-preview to 2020-05-01 #​5781
  • Cached Token Validation: Enhanced ValidateCachedTokenAsync to work properly with multiple APIs beyond the initial scope #​5764
  • Client Credentials Tenant ID: Updated result to properly pass tenant ID in client credentials flow #​5754
  • Experimental Flag Removal: Removed experimental flag requirement from IAuthenticationOperation and WithAuthenticationExtension #​5699
  • OpenTelemetry Exception Handling: Expanded OTel exception handling for Azure Functions compatibility #​5720
  • ICustomWebUi Security Warning: Added security warnings to ICustomWebUi documentation #​5704
Infrastructure & Dependencies
  • GitHub Actions Workflow: Added GitHub Actions workflow for Managed Identity WebAPI automated build and deployment to Azure #​5751
  • .NET SDK Security Update: Updated .NET SDK from version 8.0.415 to 8.0.418 to address high severity security vulnerabilities #​5779 #​5783

v4.82.1

Compare Source

======

Bug Fixes
  • Remove experimental flag requirement from IAuthenticationOperation #​5699
  • Add security warning to ICustomWebUi documentation #​5704
Changes
  • Adds support for implicit mTLS (Mutual TLS) transport for client assertion delegates #​5670

v4.82.0

Compare Source

======

Highlights

This release expands extensibility for confidential-client authentication (certificates + client assertions), adds additional sovereign cloud environments, and hardens security-sensitive flows (mTLS PoP and system browser auth) with clearer validation and safer defaults.

Features
  • Certificate-based confidential client extensibility: Introduced CertificateOptions and updated WithCertificate extensibility APIs to accept it, including support for passing sendX5C configuration through the options model. (#​5655)
  • Sovereign cloud support: Added instance discovery / authority validation support for Bleu (France), Delos (Germany), and GovSG (Singapore) cloud environments. (#​5671)
  • Client assertion customization: Added WithExtraClientAssertionClaims on AcquireTokenForClientParameterBuilder to enable supplying additional signed claims in client assertions (intended for advanced scenarios and higher-level libraries). (#​5650)
  • mTLS PoP guardrails: Added validation and explicit error handling when mTLS PoP is requested for unsupported environments and/or non-login.* hosts. (#​5684)
  • System browser hardening: Added response_mode=form_post support for the default system browser (loopback) flow. MSAL will enforce form_post and process the authorization response from POST data. (#​5678)
Changes
  • Key Attestation packaging rename: Microsoft.Identity.Client.MtlsPop renamed to Microsoft.Identity.Client.KeyAttestation (assembly/package naming update). (#​5653)

v4.81.0

Compare Source

======

Bug Fixes
  • Updated the ConfidentialClientApplication's ROPC API to add WithSendX5C() during authentication requests.#​5637

v4.80.0

Compare Source

======

Features
  • Added extensibility APIs—WithCertificate, OnMsalServiceFailure, and OnCompletion—to enable callback handling for certificate injection, retry on MSAL service failure events, and completion notifications #​5573
  • Extend IAuthenticationOperation interface with Async methods in IAuthenticationOperation2 #​5376
  • Enable IAuthenticationOperation2 to reject MSAL cached tokens and fetch new ones from ESTS #​5567
Changes
  • IMDS Source Detection Logic Improvement #​5602
  • Update DesktopOsHelper.IsMac to work properly on .NET 10 + macOS 26 #​5541
Bug Fixes
  • Fix KeyNotFoundException during retry when headers lack correlation ID #​5617
  • Implement Service Exception for IMDS Probe #​5615

v4.79.2

What's Changed

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.79.0...4.79.2

v4.79.1

======

Dependency Update

This hotfix release addresses compatibility between MSAL.NET and Microsoft.Identity.Web by downgrading the System.Formats.Asn1 dependency from version 9.0.8 to 8.0.1.

What Changed
  • System.Formats.Asn1 downgraded to v8.0.1 (#​5583)
    • Ensures compatibility with Microsoft.Identity.Web and other dependencies
Why This Release

MSAL.NET 4.79.0 introduced a dependency on System.Formats.Asn1 9.0.8, which created version conflicts with Microsoft.Identity.Web and other packages that require System.Formats.Asn1 8.0.1. This hotfix resolves those conflicts to maintain ecosystem compatibility.

v4.79.0

Compare Source

======

Changes
  • Managed Identity IMDSv2 and new support APIs (ResetForTest, GetSourceAsync) in #​5501
  • Bearer Requests should Fallback to IMDS in Preview in #​5562
  • Updating MSAL to send client info = 2 on client credential flow in #​5529
  • Make IMsalMtlsHttpClientFactory interface public in #​5559* Adjust WithExtraQueryParameters APIs and cache key behavior #​5536
Bug fixes
  • Fix instance discovery bug in Fr cloud #​5549
  • Mark WithClientAssertion API as experimental #​5551

v4.78.0

Compare Source

======

Changes
  • Update SDK version from 8.0.404 to 8.0.415. #​5543
  • Hide / deprecate some obscure APIs. #​5484
Bug Fixes
  • Support Android edge-to-edge. #​5499
  • Android broker does not support ADFS authority. #​5522

v4.77.1

Compare Source

======

  • Adjusted issuer validation to accept differing paths #​5466
  • Added better error message for OIDC error #​5433
  • Reverted changes made for Http2 #​5462

v4.77.0

Compare Source

======

Features
  • Added WinUI 3 support for Desktop Broker flows. #​5411
  • Introduced extensibility API to allow users to add custom HTTP headers to token acquisition requests (under extensibility). #​5440
Changes
  • Remove passing x-client-os as a query parameter in the authorization URI. #​5456
  • Bump Microsoft.IdentityModel.Abstractions to a supported version. #​5452
Bug fixes
  • Remove confusing error text as it only applies to one of many possible causes. #​5467

v4.76.0

Compare Source

======

New Features
  • Removal of ExperimentalFeatures flag on WithMtlsProofOfPossession API
  • Add Service Fabric token revocation support
  • Adding WithExtraBodyParameters api
  • Enable mTLS Proof‑of‑Possession for Client‑Assertion Delegates
Bug Fixes
  • #​5400 Fixing issue that leads to multiple active access tokens in the cache for non-tenanted oidc authority
  • Update NativeInterop package version to 0.19.4

v4.75.0

Compare Source

v4.74.1

Compare Source

======

Bug fixes
  • When you configure MSAL with WithOidcAuthority(), the library now confirms that the issuer returned by the OIDC discovery endpoint matches the expected authority (including CIAM patterns) and throws an exception if it does not. #​5358

  • Re-expose public AuthenticationResult constructor. A public, test-friendly constructor of AuthenticationResult was inadvertently hidden behind [Obsolete] and [EditorBrowsable(Never)]. The constructor is now publicly available again. #​5392

v4.74.0

Compare Source

======

Features
  • Deprecate ROPC flow in Public Client Applications #​5355.
  • AuthenticationResult exposes a new BindingCertificate property that returns the X.509 certificate bound to the access token in mTLS-PoP scenarios. #​5370.
Bug fixes
  • MSAL now honors the DEFAULT_IDENTITY_CLIENT_ID environment variable when acquiring tokens from Azure Machine Learning managed-identity endpoint. #​5350.

v4.73.1

Compare Source

======

Features
  • Deprecate AcquireTokenByIntegratedWindowsAuth API in #​5345
Bug fixes
  • Update native interop to 0.19.2 by @​fengga in #​5362 to solve broker bugs
  • update the deprecated openURL(:) api to openURL(:options:completionHandler) in #​5354

v4.73.0

Compare Source

=======

Features
  • Add mac broker console app support in #​5274
  • Use HTTP 2 on .NET where possible in #​5314
  • Expose access token cache count in #​5330
  • Add an extensibility API - WithFmiPathForClientAssertion in #​5347
Bug Fixes
  • Hide ListOperatingSystemAccounts in intellisense in #​5304
  • Reworked retry policy functionality & Created IMDS retry policy in #​5231

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 12, 2026
@renovate renovate Bot requested a review from pascalberger as a code owner June 12, 2026 00:42
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 12, 2026
@renovate renovate Bot changed the title Update azure-ad-microsoft-authentication-library-for-dotnet monorepo to 4.84.2 Update azure-ad-microsoft-authentication-library-for-dotnet monorepo to 4.85.0 Jun 19, 2026
@renovate renovate Bot force-pushed the renovate/azure-ad-microsoft-authentication-library-for-dotnet-monorepo branch from bfadfbf to 33954d3 Compare June 19, 2026 08:00
@renovate renovate Bot changed the title Update azure-ad-microsoft-authentication-library-for-dotnet monorepo to 4.85.0 Update azure-ad-microsoft-authentication-library-for-dotnet monorepo Jun 22, 2026
@renovate renovate Bot force-pushed the renovate/azure-ad-microsoft-authentication-library-for-dotnet-monorepo branch from 33954d3 to ae1f5d8 Compare June 23, 2026 10:05
@renovate renovate Bot changed the title Update azure-ad-microsoft-authentication-library-for-dotnet monorepo Update dependency Microsoft.Identity.Client to 4.85.1 Jun 25, 2026
@renovate renovate Bot force-pushed the renovate/azure-ad-microsoft-authentication-library-for-dotnet-monorepo branch from ae1f5d8 to fa23f44 Compare June 26, 2026 16:01
@renovate renovate Bot changed the title Update dependency Microsoft.Identity.Client to 4.85.1 Update dependency Microsoft.Identity.Client to 4.85.2 Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/azure-ad-microsoft-authentication-library-for-dotnet-monorepo branch from fa23f44 to 70e05f2 Compare July 4, 2026 22:43
@renovate renovate Bot force-pushed the renovate/azure-ad-microsoft-authentication-library-for-dotnet-monorepo branch from 70e05f2 to e4a165d Compare July 4, 2026 23:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file stop-updating

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant