Releases: AzureAD/microsoft-authentication-library-for-dotnet

4.84.2

05 Jun 15:42
9a8a703

New Features

  • Added ManagedIdentityApplication.GetManagedIdentityCapabilitiesAsync(CancellationToken) returning a ManagedIdentityCapabilities object that reports the detected managed identity Source, the host's MaxSupportedBindingStrength (new MtlsBindingStrength enum: None, Software, KeyGuard), and a derived IsMtlsPopSupportedByHost. Replaces GetManagedIdentitySourceAsync()/ManagedIdentitySourceResult. The public ManagedIdentitySource.ImdsV2 value is folded into Imds (v1/v2 routing remains internal). #6049
  • Added OID-based user identification to the User Federated Identity Credential (user_fic) flow via AcquireTokenByUserFederatedIdentityCredential(scopes, Guid userObjectId, assertion). #6050
  • Added WithClaimsFromClient(claimsJson) to forward client-originated claims across managed identity and confidential client flows. #5999
  • Added mTLS PoP support for WithCertificate(() => x509) (dynamic certificate credential). #5957
  • Added opt-in token-acquisition metrics covering both successful and failed attempts. #6004
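The capabilities API in the first bullet above lets a caller gate an mTLS PoP request on what the host actually supports. The following is an added example, not MSAL.NET sample code from the project. It uses only the names the release note states (`GetManagedIdentityCapabilitiesAsync`, `ManagedIdentityCapabilities`, `Source`, `MaxSupportedBindingStrength`, `IsMtlsPopSupportedByHost`) plus the long-standing `ManagedIdentityApplicationBuilder` / `AcquireTokenForManagedIdentity` APIs; it assumes the new method is static on `ManagedIdentityApplication` (mirroring the `GetManagedIdentitySourceAsync()` it replaces) and that `WithMtlsProofOfPossession()` is the request-level switch for mTLS PoP, both of which are assumptions rather than facts stated on this page.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not MSAL.NET's own code). Assumptions: GetManagedIdentityCapabilitiesAsync
// is static on ManagedIdentityApplication, and WithMtlsProofOfPossession() opts a request
// into mTLS PoP. The resource URI is a constructed placeholder.
public static class ManagedIdentityTokenHelper
{
    public static async Task<AuthenticationResult> AcquireAsync(string resource, CancellationToken ct)
    {
        // Probe the host once: which managed identity source was detected and
        // how strong a key binding it can offer (None, Software, KeyGuard).
        ManagedIdentityCapabilities caps =
            await ManagedIdentityApplication.GetManagedIdentityCapabilitiesAsync(ct);

        Console.WriteLine(
            $"MI source={caps.Source}, max binding={caps.MaxSupportedBindingStrength}, " +
            $"mTLS PoP supported={caps.IsMtlsPopSupportedByHost}");

        IManagedIdentityApplication app = ManagedIdentityApplicationBuilder
            .Create(ManagedIdentityId.SystemAssigned)
            .Build();

        var request = app.AcquireTokenForManagedIdentity(resource);

        // Only ask for a certificate-bound token when the host reports it can mint one;
        // otherwise fall back to a plain bearer token instead of failing the call.
        if (caps.IsMtlsPopSupportedByHost)
        {
            request = request.WithMtlsProofOfPossession();
        }

        return await request.ExecuteAsync(ct);
    }

    public static async Task Main()
    {
        // Constructed placeholder resource; replace with the audience your workload calls.
        AuthenticationResult result =
            await AcquireAsync("https://example-resource.invalid", CancellationToken.None);

        Console.WriteLine($"Token type: {result.TokenType}, expires: {result.ExpiresOn:u}");
    }
}
```

The point of the gate is that the decision to demand a bound token is made from the host's reported binding strength rather than from a hard-coded assumption about the deployment, so the same binary behaves correctly on a KeyGuard-capable VM and on a host that can only issue bearer tokens.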

Changes

  • Extended mTLS bearer transport (CertificateOptions.SendCertificateOverMtls) to the OBO, refresh-token, and authorization-code flows. #6009
  • General Availability of the Microsoft.Identity.Client.KeyAttestation package. #6038
  • Managed identity now probes IMDSv2 first and the preview latch was removed. #6041
  • Updated NativeInterop baseline and corrected devapp version ranges. #6045
  • Simplified GetTenantedAuthority in CiamAuthority and DstsAuthority. #6001

Bug Fixes

  • Fixed WithExtraQueryParameters on ManagedIdentityApplicationBuilder bypassing token caching. #6035
  • Guarded HTTP status codes on discovery endpoints in KnownInstanceMetadataIsUpToDateAsync. #6048
  • Detect orphaned KeyGuard certificates via public-key modulus comparison. #6020

4.84.1

19 May 22:39
022dcde

What's Changed

New Features

  • Added WithReservedScopes and WithCachePartitionKey public API extensions in #6014
  • Added IAuthenticationOperation3 interface for CDT + mTLS PoP composition in #5996
  • Added MsalRemainingTokenLifetime histogram metric for token expiry tracking in #5920

Changes

  • Removed [Obsolete] attribute from WithExtraBodyParameters extension method in #6006
  • Replaced ConcurrentHashSet with ConcurrentDictionary<T, byte> in #5975

Bug Fixes

  • Fixed WithTenantId not honoring MSA tenant GUID when specified at request level in #5958
  • Fixed OBO cache returning multiple_matching_tokens_detected when attributed tokens share a partition in #5993

Full Changelog: 6ff7075...main

4.84.0

19 May 18:30
022dcde

What's Changed

New Features

  • Remove embedded Newtonsoft.Json, migrate to System.Text.Json exclusively in #5959
  • Expose refresh token via extension and add CacheOptions.DisableInternalCache in #5947
  • Added support for WithAttributeTokens in #5888
  • Feature: mTLS Bearer via CertificateOptions.SendCertificateOverMtls in #5849
  • Remove experimental feature gate from WithClientAssertion(ClientSignedAssertion) overload in #5945
  • Support forwarding MSAL client metadata headers through IMDS to ESTS in #5912
  • Add CorrelationId to AssertionRequestOptions for FIC in #5937
  • Add raw STS error code to MsalFailure metric in #5961

Bug Fixes

  • Fix: make System.ValueTuple conditional on net462 only in #5906
  • Fix eager evaluation in ConcurrentDictionary.GetOrAdd calls in #5950
  • Validate clientSignedAssertionProvider delegate is non-null in WithClientAssertion in #5956
  • Improve MtlsPopTokenNotSupportedInImdsV1 error message clarity in #5908
  • Added more checks for issuer validation in #5931

Improvements

  • Remove region as hard requirement for mTLS PoP flows in #5902
  • Add in-process MAA token caching to PopKeyAttestor in #5887
  • Refactor client credential material resolution in #5835

Dependencies Updates

  • Bump OpenTelemetry version in #5960

Full Changelog: 4.83.3...cb59f84

4.83.3

30 Mar 22:40
64076ee

New Features

  • Added support for User Federated Identity Credential (UserFIC) scenarios through the IByUserFederatedIdentityCredential interface and user_fic grant type. #5802

Changes

  • Updated NativeInterop to version 0.20.3. #5866

Bug Fixes

  • Fixed response handling in HttpListenerInterceptor.cs to ensure the full response is properly closed. #5478
  • Fixed macOS detection to include maccatalyst target in desktop platform checks. #5882

Infrastructure & Dependencies

  • Extracted reusable MSAL test infrastructure into Microsoft.Identity.Lab.API. #5864

4.83.1

10 Mar 19:13
d5d7de6

Bug Fixes

  • Fixed IMDS endpoint cache not being reset during test cleanup #5830

4.83.0

09 Mar 18:34
282a9e6

New Features

  • Agent Skills: Added Agent Skills catalog with complete coverage of both Confidential Client Authentication and mTLS PoP flows #5733
  • mTLS PoP Skills Guide: Added comprehensive guide for GitHub Copilot Chat covering MSAL.NET authentication, mTLS Proof of Possession, and Federated Identity Credentials #5790

Changes

  • Credential Guard Attestation: Integrated native DLL handling for Credential Guard attestation with centralized versioning #5674

Bug Fixes

  • IMDSv2 mTLS Auto-Recovery: Implemented automatic recovery from SCHANNEL handshake failures by evicting cached certificates and re-minting #5761
  • Managed Identity Fallback Behavior: Restored classic fallback behavior in MSAL MI unless GetManagedIdentitySourceAsync() is explicitly invoked #5815
  • Attestation Token Expiration: Exposed expires_on field in attestation tokens for better token lifecycle management #5741
  • Service Fabric API Version: Updated Service Fabric managed identity API version from 2019-07-01-preview to 2020-05-01 #5781
  • Cached Token Validation: Enhanced ValidateCachedTokenAsync to work properly with multiple APIs beyond the initial scope #5764
  • Client Credentials Tenant ID: Updated result to properly pass tenant ID in client credentials flow #5754
  • Experimental Flag Removal: Removed experimental flag requirement from IAuthenticationOperation and WithAuthenticationExtension #5699
  • OpenTelemetry Exception Handling: Expanded OTel exception handling for Azure Functions compatibility #5720
  • ICustomWebUi Security Warning: Added security warnings to ICustomWebUi documentation #5704

Infrastructure & Dependencies

  • GitHub Actions Workflow: Added GitHub Actions workflow for Managed Identity WebAPI automated build and deployment to Azure #5751
  • .NET SDK Security Update: Updated .NET SDK from version 8.0.415 to 8.0.418 to address high severity security vulnerabilities #5779 #5783

4.82.1

05 Feb 19:24
0e7b12a

Bug Fixes

  • Remove experimental flag requirement from IAuthenticationOperation #5699
  • Add security warning to ICustomWebUi documentation #5704

Changes

  • Adds support for implicit mTLS (Mutual TLS) transport for client assertion delegates #5670

4.82.0

02 Feb 19:28
2c6482e

Highlights

This release expands extensibility for confidential-client authentication (certificates + client assertions), adds additional sovereign cloud environments, and hardens security-sensitive flows (mTLS PoP and system browser auth) with clearer validation and safer defaults.

Features

  • Certificate-based confidential client extensibility: Introduced CertificateOptions and updated WithCertificate extensibility APIs to accept it, including support for passing sendX5C configuration through the options model. (#5655)
  • Sovereign cloud support: Added instance discovery / authority validation support for Bleu (France), Delos (Germany), and GovSG (Singapore) cloud environments. (#5671)
  • Client assertion customization: Added WithExtraClientAssertionClaims on AcquireTokenForClientParameterBuilder to enable supplying additional signed claims in client assertions (intended for advanced scenarios and higher-level libraries). (#5650)
  • mTLS PoP guardrails: Added validation and explicit error handling when mTLS PoP is requested for unsupported environments and/or non-login.* hosts. (#5684)
  • System browser hardening: Added response_mode=form_post support for the default system browser (loopback) flow. MSAL will enforce form_post and process the authorization response from POST data. (#5678)

Changes

  • Key Attestation packaging rename: Microsoft.Identity.Client.MtlsPop renamed to Microsoft.Identity.Client.KeyAttestation (assembly/package naming update). (#5653)

4.81.0

09 Jan 19:13
7442cfc

What's Changed

  • Expose API SendX5C from ROPC CCA flow by @neha-bhargava in #5635
  • Refactor and simplify Microsoft.Identity.Test.LabInfrastructure by @Avery-Dunn in #5631
  • Remove Headers from MsalServiceException.ToString() to prevent logging sensitive data by @Copilot in #5642

Full Changelog: 4.80.0...4.81.0

4.80.0

07 Jan 20:10
75b3b9f

Features

  • Added extensibility APIs (WithCertificate, OnMsalServiceFailure, and OnCompletion) to enable callback handling for certificate injection, retry on MSAL service failure events, and completion notifications #5573
  • Extend IAuthenticationOperation interface with Async methods in IAuthenticationOperation2 #5376
  • Enable IAuthenticationOperation2 to reject MSAL cached tokens and fetch new ones from ESTS #5567

Changes

  • IMDS Source Detection Logic Improvement #5602
  • Update DesktopOsHelper.IsMac to work properly on .NET 10 + macOS 26 #5541

Bug Fixes

  • Fix KeyNotFoundException during retry when headers lack correlation ID #5617
  • Implement Service Exception for IMDS Probe #5615