4.82.1

Bug Fixes

• Remove experimental flag requirement from IAuthenticationOperation #5699
• Add security warning to ICustomWebUi documentation #5704

Changes

• Adds support for implicit mTLS (Mutual TLS) transport for client assertion delegates #5670

4.82.0

4.82.0

Highlights

This release expands extensibility for confidential-client authentication (certificates + client assertions), adds additional sovereign cloud environments, and hardens security-sensitive flows (mTLS PoP and system browser auth) with clearer validation and safer defaults.

Features

• Certificate-based confidential client extensibility: Introduced CertificateOptions and updated WithCertificate extensibility APIs to accept it, including support for passing sendX5C configuration through the options model. (#5655)
• Sovereign cloud support: Added instance discovery / authority validation support for Bleu (France), Delos (Germany), and GovSG (Singapore) cloud environments. (#5671)
• Client assertion customization: Added WithExtraClientAssertionClaims on AcquireTokenForClientParameterBuilder to enable supplying additional signed claims in client assertions (intended for advanced scenarios and higher-level libraries). (#5650)
• mTLS PoP guardrails: Added validation and explicit error handling when mTLS PoP is requested for unsupported environments and/or non-login.* hosts. (#5684)
• System browser hardening: Added response_mode=form_post support for the default system browser (loopback) flow. MSAL will enforce form_post and process the authorization response from POST data. (#5678)

Changes

• Key Attestation packaging rename: Microsoft.Identity.Client.MtlsPop renamed to Microsoft.Identity.Client.KeyAttestation (assembly/package naming update). (#5653)

4.81.0

What's Changed

• Expose API SendX5C from ROPC CCA flow by @neha-bhargava in #5635
• Refactor and simplify Microsoft.Identity.Test.LabInfrastructure by @Avery-Dunn in #5631
• Remove Headers from MsalServiceException.ToString() to prevent logging sensitive data by @Copilot in #5642

Full Changelog: 4.80.0...4.81.0

4.80.0

Features

• Added extensibility APIs—WithCertificate, OnMsalServiceFailure, and OnCompletion—to enable callback handling for certificate injection, retry on MSAL service failure events, and completion notifications #5573
• Extend IAuthenticationOperation interface with Async methods in IAuthenticationOperation2 #5376
• Enable IAuthenticationOperation2 to reject MSAL cached tokens and fetch new ones from ESTS #5567

Changes

• IMDS Source Detection Logic Improvement #5602
• Update DesktopOsHelper.IsMac to work properly on .NET 10 + macOS 26 #5541

Bug Fixes

• Fix KeyNotFoundException during retry when headers lack correlation ID #5617
• Implement Service Exception for IMDS Probe #5615

4.79.2

What's Changed

• Bump winsdk dependency by @bgavrilMS in #5575
• ImdsV2 probe does not fire when .WithMtlsProofOfPossesstion is not used by @Robbie-Microsoft in #5579
• Downgrade System.Formats.Asn1 to match ID web by @Avery-Dunn in #5583

Full Changelog: 4.79.0...4.79.2

4.79.0

What's Changed

• Fix instance discovery bug 5546 by @bgavrilMS in #5549
• Managed Identity IMDSv2 and new support APIs (ResetForTest, GetSourceAsync) by @Robbie-Microsoft in #5501
• Bearer Requests should Fallback to IMDS in Preview by @gladjohn in #5562
• Updating MSAL to send client info = 2 on client credential flow by @trwalke in #5529
• Make IMsalMtlsHttpClientFactory interface public by @cpp11nullptr in #5559
• Mark WithClientAssertion API as experimental by @gladjohn in #5551
• Adjust WithExtraQueryParameters APIs and cache key behavior by @Avery-Dunn in #5536

Full Changelog: 4.78.0...4.79.0

4.78.0

Changes

• Update SDK version from 8.0.404 to 8.0.415. #5543
• Hide / deprecate some obscure APIs. #5484

Bug Fixes

• Support Android edge-to-edge. #5499
• Android broker does not support ADFS authority. #5522

4.77.1

What's Changed

• Fix prototype code to address CodeQL by @bgavrilMS in #5472
• Update CHANGELOG.md for MSAL 4.77.0 by @gladjohn in #5473
• Mark project as AOT compatible for net 8 by @neha-bhargava in #5458
• Update public api for MSAL Release 4.77.0 by @gladjohn in #5471
• Adjust issuer validation to accept differing paths by @Avery-Dunn in #5466
• Added better error message for OIDC error by @trwalke in #5433
• Remove failing test project from solution to prevent build breaks. by @MZOLN in #5481
• Fix MSB3277 “WindowsBase” conflicts in dev apps by enabling WPF build ref by @gladjohn in #5482
• Remove some flaky tests that were just an overkill by @gladjohn in #5486
• Remove dupe ropc b2c tests by @gladjohn in #5487
• Revert changes made for Http2 by @neha-bhargava in #5462

Full Changelog: 4.77.0...4.77.1

4.77.0

Features

• Added WinUI 3 support for Desktop Broker flows. #5411
• Introduced extensibility API to allow users to add custom HTTP headers to token acquisition requests (under extensibility). #5440

Changes

• Remove passing x-client-os as a query parameter in the authorization URI. #5456
• Bump Microsoft.IdentityModel.Abstractions to a supported version. #5452

Bug fixes

• Remove confusing error text as it only applies to one of many possible causes. #5467

4.76.0

What's Changed

• Removal of ExperimentalFeatures flag on WithMtlsProofOfPossession API: by @gladjohn in #5402
• #5400 Fixing issue that leads to multiple active access tokens in the cache for non-tenanted oidc authority by @andkorsh in #5401
• Add Service Fabric token revocation support by @gladjohn in #5421
• Update NativeInterop package version to 0.19.4 by @ashok672 in #5434
• Adding WithExtraBodyParameters api by @trwalke in #5389
• Enable mTLS Proof‑of‑Possession for Client‑Assertion Delegates by @gladjohn in #5409

New Contributors

• @andkorsh made their first contribution in #5401

Full Changelog: 4.74.1...4.76.0