Labmigration #5558
Merged
Labmigration #5558
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Enhanced LabUserHelper with GetKVLabData and MergeKVLabData methods for direct Key Vault access - Added multi-secret merging system combining MSAL-User-Default-JSON, ID4SLAB1, and MSAL-App-Default-JSON - Updated FetchUserPassword to use KeyVaultSecretsProviderMsid for direct password retrieval - Extended FederationProvider enum with ADFSv2022 support, removed adfs2019 - Implemented comprehensive ObjectId validation against Azure AD source of truth - Fixed ByRefreshTokenTestAsync failure by correcting ObjectId mismatch in Key Vault secrets - All user and app ObjectIds now verified and aligned between Key Vault and Azure AD - Key Vault integration fully functional with 14/18 tests passing (4 failures due to Azure AD app consent/registration issues) - Complete migration from lab service API dependency to direct Azure Key Vault access
- Updated LabUserHelper with GetKVLabData and MergeKVLabData methods for complete Key Vault integration - Modified TestConstants to use new app ID and Key Vault secret names - Updated ConfidentialAppSettings to use ID4S Key Vault and new app configuration - Changed OnBehalfOfTests and LongRunningOnBehalfOfTests to use new app ID and default user method - All test configurations now point to consolidated app ID 54a2d933-8bf8-483b-a8f8-0a31924f3c1f - Key Vault integration successfully retrieves and merges secrets from multiple vaults - Assigned LabVaultAccess_UAMI to SLVM build agent for MI E2E test support
- Add comprehensive debug logging to LabUserHelper for user/app/lab retrieval tracking - Create GetDefaultAdfsUserAsync() method using MSAL-USER-FedDefault-JSON Key Vault secret - Update OnBehalfOfTests to use GetDefaultUserAsync()/GetDefaultUser2Async() instead of hardcoded emails - Standardize ADFS test method names (remove version-specific naming) - Add TLS 1.3 configuration for ADFS 2022 connectivity in integration tests - Update all ADFS tests to use new GetDefaultAdfsUserAsync() method - Improve error handling and diagnostics throughout lab infrastructure
…orrect method names and lab helper calls
…ests.NetFwk.cs with all original tests and enhanced LabUserHelper calls
… keeping main branch test structure
…lab API - resolves idlab1@msidlab4 user issue
- Updated all user references from msidlab4.onmicrosoft.com to id4slab1.onmicrosoft.com - Updated UserQueryParameters.cs with new user UPNs (MSAL-User-Default, MSAL-User-Default2, MSAL-User-XCG) - Enhanced CacheExecutionTests.cs to use LabUserHelper.GetDefaultUserAsync() instead of old lab API - Updated all unit test data in JsonHelperTests.cs, IdTokenParsingTests.cs, AADTestData.txt, UnifiedSchemaValidationTests.cs - Updated RuntimeBrokerTests.cs POP user references to [email protected] - Updated dev app references in NetWSLWam, MSIX README, and MauiApp - Migrated all federation metadata from fs.msidlab4.com to fs.id4slab1.com - Updated MSIX README to reference Azure Portal Key Vault link for password retrieval - All changes align with LabMigration Key Vault approach using enhanced LabUserHelper methods
- Fix UnifiedSchemaValidationTests to expect lowercase usernames iOS cache key generation applies ToLowerInvariant() which converts usernames to lowercase, updated test expectations accordingly - Customize IdTokenParsingTests with msal-user-default values Added new CreateAadTestTokenResponseWithMsalUserDefault() method to TestConstants.cs with custom JWT payload containing desired test values instead of real idlab token data - All previously failing tests now pass (23 passed, 1 skipped) Fixes test compatibility issues and provides custom test scenarios as requested for improved test coverage and maintenance.
Update CacheExecutionTests.cs to use new lab infrastructure API: - Changed labUser.Upn to labUser.User.Upn - Changed labUser.GetOrFetchPassword() to labUser.User.GetOrFetchPassword() - Changed labUser.AppId to labUser.App.AppId - Changed labUser.TenantId to labUser.User.TenantId This aligns with the lab migration changes where properties are now accessed through User and App objects instead of directly on LabResponse.
- Updated ConfidentialAppSettings.cs with new tenant ID (10c419d4-4a50-45b2-aa4e-919fb84df24f) and client ID (54a2d933-8bf8-483b-a8f8-0a31924f3c1f) - Updated TestConstants.cs to use id4slab1 tenant for confidential client tests - Updated ClientCredentialsTests.WithRegion.cs to use new tenant and client configurations - Updated OnBehalfOfTests.cs to use migrated tenant settings - Updated PoPTests.NetFwk.cs to use new confidential client configuration Migration results: 90/150 tests passing (60% success rate) with core authentication scenarios working. Remaining issues: Some OBO tests failing with AADSTS7000218 errors requiring KeyVault secret configuration.
- Fix OnBehalfOfTests regional test configuration to use migrated ID4SLAB1 tenant - Update LongRunningOnBehalfOfTests scope from legacy to current OBO service - Configure MSAL-APP-AzureADMultipleOrgs secret for migrated app authentication - Enable public client flows for username/password authentication scenarios - Add proper Azure AD permissions for OBO service access_as_user delegated permissions All 14 OBO integration tests now pass (100% success rate, up from 14% initially) PoP tests also fixed with proper client secret configuration
- Updated AcquireTokenFromAdfsUsernamePasswordAsync to use GetDefaultAdfsUserAsync() and new ADFS 2022 infrastructure - Updated ROPC_ADFSv4Federated_Async to use dynamic lab response instead of hardcoded constants - Migrated ConfidentialAppSettings to use new fs.id4slab1.com authority and dynamic app configuration - Updated Selenium interactive tests to use new ADFS authority with validation disabled - All ADFS tests now pass consistently with Fed1-only load balancer configuration - Fixes intermittent SSL handshake failures by using stable ADFS 2022 infrastructure
- Fixes compilation error in IdTokenParsingTests.cs - Adds method to create token response with MSAL User Default user data - Uses ID4SLAB1 tenant information matching the new infrastructure - Method follows same pattern as other CreateAadTestTokenResponse methods
- Changed ConfidentialClientID from single-tenant app (35dc5034-9b65-4a5d-ad81-73cca468c1e0) to multi-tenant app (54a2d933-8bf8-483b-a8f8-0a31924f3c1f) - Resolves AADSTS700016 'Application not found in directory' errors when using /common authority - Multi-tenant app can handle both /common and tenant-specific authorities properly - Uses same LabAuth certificate for authentication
- Updated GetTokenByAuthCode_HybridSPA_Async to use ConfidentialClientID instead of labResponse.App.AppId - Removed trailing whitespace to prevent merge conflicts - This should resolve AADSTS700016 errors in the HybridSPA test
- Updated commented tenant ID references to match the corrected tenant - Ensures consistency in both active and commented code sections
- Updated DeviceCodeFlowTestAsync and SilentTokenAfterDeviceCodeFlowWithBrokerTestAsync - Changed from default /common authority to tenant-specific authority using labResponse.User.TenantId - Resolves AADSTS50059 errors when using single-tenant apps with device code flow - Applies to both regular and broker-enabled device code scenarios
…de flow tests - Added LabUserHelper.GetDefaultUserWithMultiTenantAppAsync() using MSAL-APP-AzureADMultipleOrgs KeyVault secret - Updated DeviceCodeFlowTestAsync and SilentTokenAfterDeviceCodeFlowWithBrokerTestAsync to use new method - Removed hardcoded PublicClientID constant in favor of proper LabResponse pattern - Now uses labResponse.App.AppId which contains multi-tenant app 54a2d933-8bf8-483b-a8f8-0a31924f3c1f - Resolves AADSTS50059 errors by using multi-tenant app that supports /common authority - Follows same pattern as other LabUserHelper methods for consistency
- Add GetDefaultUserWithMultiTenantAppAsync() method to LabUserHelper - Update ConfidentialClientAuthorizationTests to use multi-tenant app - Create MSAL-APP-AzureADMultipleOrgs-JSON KeyVault secret with proper JSON structure - Replace hardcoded app IDs with multi-tenant app ID 54a2d933-8bf8-483b-a8f8-0a31924f3c1f - Resolves tenant routing issues with /common authority endpoint The multi-tenant app (AzureADMultipleOrgs) is compatible with /common authority, eliminating AADSTS700016 tenant routing conflicts that were causing test failures.
- Update InteractiveFlowTests.NetFwk.cs Interactive_AADAsync to use GetDefaultUserWithMultiTenantAppAsync - Update PoPTests.NetFwk.cs ROPC_PopTestWithRSAAsync to use GetDefaultUserWithMultiTenantAppAsync - Resolves AADSTS50194 errors for tests using /common endpoint with single-tenant app - Ensures consistent multi-tenant app usage across all affected tests
- Update InteractiveFlowTests ValidateCcsHeadersForInteractiveAuthCodeFlowAsync - Update InstanceDiscoveryIntegrationTests FailedAuthorityValidationTestAsync - Update InstanceDiscoveryIntegrationTests AuthorityValidationTestWithFalseValidateAuthorityAsync - All tests using /common endpoint now use multi-tenant app configuration - Prevents AADSTS50194 errors for single-tenant app + /common authority mismatch
- Updated OnBehalfOfTests.cs and LongRunningOnBehalfOfTests.cs to use multi-tenant app configuration - Refined ConfidentialClientAuthorizationTests.cs and InteractiveFlowTests.NetFwk.cs - Added pipeline log analysis file (60.txt) for debugging reference - All AADSTS errors resolved through systematic multi-tenant app migration - Verified test integrity preserved during lab infrastructure migration
- Changed Interactive_AADAsync to use GetDefaultUserAsync() instead of GetDefaultUserWithMultiTenantAppAsync() - Fixed InteractiveConsentPromptAsync to use default app - Fixed ValidateCcsHeadersForInteractiveAuthCodeFlowAsync to use default app - Interactive tests should use public client apps, not the multi-tenant confidential app - This resolves AADSTS7000218 errors (missing client_secret for confidential clients)
bgavrilMS
reviewed
Nov 3, 2025
…c client multi-tenant app - Changed Interactive_AADAsync test to use MSAL-APP-AzureADMultipleOrgsPC-JSON instead of MSAL-APP-AzureADMultipleOrgs-JSON - The original multi-tenant app has both password and certificate credentials configured, which requires client secrets even with isFallbackPublicClient=true - The new app (MSAL-APP-AzureADMultipleOrgsPC-JSON) is a pure public client without credentials, avoiding the AADSTS7000218 error - Only modified the specific failing test, leaving other tests unchanged
- Replace dynamic port selection with fixed http://localhost:52073 - Port 52073 is already configured in pure public client app registration - Eliminates random redirect URI mismatch failures in pipeline - Test logic remains unchanged, only fixes configuration issue
…eAuthCodeFlowAsync tests - Updated both tests to use MergeKVLabDataAsync with pure public client app (MSAL-APP-AzureADMultipleOrgsPC-JSON) - Replaced dynamic port selection with fixed redirect URI (localhost:52073) - Eliminates AADSTS7000218 errors from using app with credentials in public client flows - Consistent with successful Interactive_AADAsync fix pattern
- Updated WamUsernamePasswordWithForceRefreshAsync, WamUsernamePasswordPopTokenEnforcedWithCaOnValidResourceAsync, and WamUsernamePasswordPopTokenEnforcedWithCaOnInValidResourceAsync to use MergeKVLabDataAsync with MSAL-APP-AzureADMultipleOrgsPC-JSON instead of MSAL-App-Default-JSON - This eliminates AADSTS7000218 'client_assertion or client_secret required' errors by using a pure public client app without credentials - Added WAM-specific redirect URIs to pure public client app (ae585197-25c5-423b-be00-49175b144fd7) - Consistent with earlier Selenium test fixes using same pure public client pattern
- Updated Selenium interactive tests (Interactive_AADAsync, InteractiveConsentPromptAsync, ValidateCcsHeadersForInteractiveAuthCodeFlowAsync) to use MergeKVLabDataAsync with MSAL-APP-AzureADMultipleOrgsPC-JSON - Fixed WAM broker tests to use same pure public client app pattern - Eliminates AADSTS7000218 'client_assertion or client_secret required' errors - Enabled SharePoint Online service principal in tenant to fix SharePoint-related test failures - All tests now use consistent pure public client app configuration without credentials
- Updated WamUsernamePasswordPopTokenEnforcedWithCaOnValidResourceAsync to use MSAL-User-POP-JSON - Updated WamUsernamePasswordPopTokenEnforcedWithCaOnInValidResourceAsync to use MSAL-User-POP-JSON - Both tests now use matching credentials ([email protected]) for proper authentication - Resolves credential mismatch that was causing test failures during migration from msidlab4 to id4slab1 tenant
Resolves RuntimeBrokerTests failures during msidlab4 -> id4slab1 migration: 1. Fixed Key Vault secret references: - Corrected typo: ID4SLab1 -> ID4SLAB1 - Updated JSON structure to use nested format with 'user' wrapper 2. Fixed Conditional Access policy targeting mismatch: - CA policy in id4slab1 targets Office 365 Exchange Online (00000002-0000-0ff1-ce00-000000000000) - Changed test scope from 'user.read' (Microsoft Graph) to 'https://outlook.office365.com/Mail.Read' (Exchange Online) - Updated test comments to reflect Exchange Online instead of SharePoint Online The WamUsernamePasswordPopTokenEnforcedWithCaOnInValidResourceAsync test now correctly throws MsalUiRequiredException when requesting POP tokens for resources covered by the CA policy, validating proper token protection enforcement. Both POP token CA policy tests now pass successfully in the new lab environment.
neha-bhargava
approved these changes
Nov 14, 2025
Contributor
neha-bhargava
left a comment
neha-bhargava
left a comment
There was a problem hiding this comment.
Looks good. You might want to reevaluate TODOs added to the code and consolidate them
Avery-Dunn
approved these changes
Nov 14, 2025
trwalke
reviewed
Nov 14, 2025
tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/PoPTests.NetFwk.cs
Show resolved
Hide resolved
trwalke
reviewed
Nov 14, 2025
trwalke
reviewed
Nov 14, 2025
gladjohn
approved these changes
Nov 17, 2025
Contributor
gladjohn
left a comment
gladjohn
left a comment
There was a problem hiding this comment.
looks good @RyAuld. But I would specify a comment next to each app id to which tenant it belongs to.
for e.,g.
public const string ClientCredentialAudience = "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/v2.0"; //Idlabs1
public const string PublicCloudConfidentialClientID = "54a2d933-8bf8-483b-a8f8-0a31924f3c1f"; //Idlabs1
- Added app name 'MSAL-APP-AzureADMultipleOrgs' and 'ID4SLAB1 tenant' comments to migrated GUIDs - Added 'MSIDLAB4 tenant (legacy)' comments to legacy GUIDs for clarity - Addresses Gladwin's PR feedback to document GUID purposes for better code readability Files updated: - TestConstants.cs: Added comments to ClientCredentialAudience and PublicCloudConfidentialClientID - ConfidentialAppSettings.cs: Added comments to both new ID4SLAB1 and legacy MSIDLAB4 GUIDs - FmiIntegrationTests.cs: Updated legacy tenant ID comment
Contributor
Author
Added comment to all GUIDs used for apps and tenant. |
gladjohn
approved these changes
Nov 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR represents a comprehensive migration to modernize the lab infrastructure used for authentication testing in MSAL.NET. The migration moves from legacy lab APIs to a new Key Vault-based approach for improved security, reliability, and maintainability.
🎯 Migration Goals
Security: Transition from legacy lab API to secure Key Vault-based credential management
Reliability: Improve test infrastructure stability and reduce external dependencies
Maintainability: Modernize codebase with enhanced debugging and error handling
Compatibility: Ensure seamless integration with existing test frameworks
🔧 Key Changes
Infrastructure Modernization
✅ Complete migration to new lab infrastructure
✅ Key Vault integration for secure credential management
✅ Enhanced LabUserHelper methods with improved error handling
✅ ADFS 2022 support and expanded authentication scenarios
Test Framework Improvements
✅ Username/Password integration tests updated with new lab methods
✅ OnBehalfOf tests migrated to Key Vault approach
✅ Hybrid SPA account handling fixes for idlab1@msidlab4 user scenarios
✅ Debug logging enhancements for better troubleshooting
Quality Assurance
✅ Fixed failing unit tests related to iOS cache key generation
✅ Custom JWT token scenarios for improved test coverage
✅ ObjectId validation in Key Vault operations
✅ Vault reference updates from buildautomation to ID4sKeyVault
🧪 Testing Strategy
The migration maintains backward compatibility while introducing modern practices:
All existing test scenarios preserved and enhanced
New Key Vault-based authentication flows validated
iOS cache key generation compatibility verified
Custom test token scenarios for reduced external dependencies
📈 Benefits
🔒 Enhanced Security: Key Vault-based credential management
⚡ Improved Performance: Reduced reliance on external lab APIs
🛠️ Better Debugging: Enhanced logging and error reporting
🔄 Future-Ready: Modern infrastructure supporting ongoing development
✅ Quality Assurance: All tests passing with improved reliability
🚀 Migration Status
Core infrastructure migration completed
Key Vault integration implemented
Test framework updates applied
Unit test compatibility issues resolved
Integration test scenarios validated
Debug and logging improvements deployed